The malicious tools, the certificates used and a GitHub account led the members of MSTIC to this company, which operates as a cyber-mercenary. MSTIC dubbed the actor Knotweed. In May 2022, MSTIC discovered remote code execution via Adobe Reader, combined with a Windows zero-day vulnerability now identified as CVE-2022-22047 and since fixed.
The vulnerability allowed elevation of privilege in order to take control of the computer. The payload was malware developed by DSIRF, dubbed SubZero, which grants full control of the compromised system. It was delivered in a PDF document or an Excel file with macros sent to the victim by email.
That a private company specializes in carrying out this kind of operation is nothing new. This was the case last year with the Israeli company NSO and its software, which targeted journalists, lawyers, politicians and activists. The clients of these companies are very often states.